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“Pressing the buttons has gradually become somewhat of a new technological ritual.” 


In “Innovation”; The Kingfisher Story Collection (2022) 


Abstract 


The rapid advancement of Information Technology (IT) platforms and programming languages 
has transformed the dynamics and development of human society. The cyberspace and 
associated utilities are expanding, leading to a gradual shift from real-world living to virtual 
life (also Known as cyberspace or digital space). The expansion and development of Natural 
Language Processing (NLP) models and Large Language Models (LLMs) demonstrate human- 
like characteristics in reasoning, perception, attention, and creativity, helping humans 
overcome operational barriers. Alongside the immense potential of artificial intelligence (Al) 
are new security loopholes and more complex information security risks. As society is still 
trying to transition to a new phase to adapt to technological changes, the Al revolution 
continues to unfold, necessitating a reconsideration of the trajectory of societal 
transformation as it could exacerbate the aforementioned information security risks. 
Specifically, how should society evolve to keep pace with the transformative impact of the 
current Al technology wave? How can we manage and harness their power while ensuring 
information security as our presence in the virtual world increases? This article aims to shed 
light on and address these questions. 
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1. Technological advancements, security challenges, and information security 


The rapid progress of Information Technology (IT) platforms and programming languages has 
transformed the dynamics and development of human society. Cyberspace and _ its 
accompanying utilities are increasingly expanding, leading to a gradual shift from life in the 
real world to life in the virtual world (also Known as cyberspace or digital space). As of 2023, 
the Internet of Things (loT) has connected approximately 15.14 billion devices globally 
(Vailshery, 2023). On average, each person on Earth now owns about 1.89 devices, nearly 24 
times more than 20 years ago (with an average of 0.08 devices per person in 2003) (Lu & Da 
Xu, 2018). This number is predicted to nearly double by 2030, with about 29.42 billion 
devices connected. The variety of devices will become increasingly diverse, equipped with 
sensor systems or controllers to better interact with humans and integrated with artificial 
intelligence (Al) to assist in decision-making, searching, and transmitting information to users. 


In the context where economic and social activities are increasingly well-connected through 
loT, and soon with the potential integration of Al into almost every aspect of life in both the 
real and virtual worlds, not only individuals but also businesses and nations will face 
unprecedented challenges regarding information security risks (Keck et al., 2022). 


As IT systems, especially the Internet, become integrated into life, a vast amount of 
information will be created, stored, and transmitted, such as personal information, social 
media interactions, business information, transaction data, insurance, health records, etc. 
Once this data is leaked, it can be exploited to defraud and negatively impact the lives of 


individuals, the operations of businesses, and the stability and sustainable development of 
nations. The World Economic Forum’s (WEF) 2023 Global Risk Report ranked cybercrime and 
cybersecurity challenges among the top 10 risks currently and in the future (World Economic 
Forum, 2023). Indeed, cyber-attacks have increased by 600% since the start of the COVID-19 
pandemic, with more than 5.4 billion malware attacks alone in 2022 (RiskXchange, 2023). 
According to Cybersecurity Ventures, cybercrime activities are expected to cause economic 
damage of approximately $10.5 trillion annually starting from 2025. These damages include 
data loss, stolen money, productivity decline, loss of intellectual property, theft of personal 
and financial data, fraud, disruptions following attacks on normal business processes, 
investigation after an attack, restoration and deletion of attacked data and systems, and 
reputation damage (Morgan, 2022). This is just a direct estimate of economic damage without 
considering the indirect impacts on the global economic and social system (Chinh & Hoang, 
2009). 


As society increasingly aims for the convenience and utility of smart cities, integrating a large 
number of electronic devices and software into life to manage assets, resources, and services 
becomes an inevitable trend. Thus, information will be collected from every citizen, device, 
building, and operational system to help monitor and manage traffic systems, power plants, 
water supply systems, waste treatment systems, information transmission systems, schools, 
hospitals, security, and other social services (Musa, 2018; Paiho et al., 2022). With the deep 
and complex linkage of device and software systems, cyber-attacks can quickly paralyze or 
partially paralyze the operation of society and nations or take control of the system if 
cybersecurity is not ensured. Hackers attacking utility management systems and taking 
control of devices, as occurred with the Uconnect system, a digital feature for entertainment, 
navigation, phone calls, and Wi-Fi access in vehicles, in 2015, using a security flaw to remotely 
control the vehicle to shut down or adjust its speed, compromising user safety. This led to 
several US car companies deciding to recall over a million vehicles in use, resulting in 
significant economic losses (Greenberg, 2015). 


Furthermore, the types of information created in cyberspace can be regarded as a new kind 
of resource that facilitates the creation of extremely large and diverse datasets (big data). 
These datasets can be analyzed to identify connections, patterns, and trends in human 
behavior and social interactions. Currently, every minute, there are 6.3 million information 
searches on Google, over 527,000 photos shared on Snapchat, 456,000 tweets on the X 
platform (formerly Twitter), over 46,000 photos uploaded to Instagram, and approximately 
510,000 comments posted and 293,000 new statuses updated on Facebook (Marr, 2021; 
Wise, 2023). Through the use of complex analytical techniques and algorithms, this massive 
amount of data can be utilized to reveal the thoughts, feelings, and behaviors of social media 
users, and employ this information for sophisticated psychological and behavioral 
manipulation schemes (Ho & Vuong, 2023). Moreover, as humans increasingly form 
emotional attachments to characters, assets, and applications within cyberspace, they can 


be more easily influenced in terms of psychology, emotions, and behavior (Mantello et al., 
2023; Vuong et al., 2023a, 2023b). 


A prime example of this is the case of Cambridge Analytica, a consulting firm that collected 
personal data from tens of millions of Facebook users and sold it to campaigns for emotionally 
manipulative political purposes, influencing the outcomes of elections. This scandal not only 
exposed the power held by those in control of information resources, especially technology 
corporations, but also how such power can be used to impact the operation of the economy, 
society, and politics (Liaropoulos, 2020; Nilekani, 2018). 


Most recently, the launch of ChatGPT 3.5 on November 30, 2022, marked the beginning of 
what many experts are calling the “Al era.” Just one month after its debut, ChatGPT attracted 
over 100 million users, making it the fastest-growing software application in history (Hu, 
2023). This user explosion has spurred the release of other competitive Al products, including 
Gemini, Ernie Bot, LLaMA, Claude, and Grok in 2023. In fact, Al technology has been widely 
applied in various aspects of life for some time now, such as in scientific research, healthcare, 
finance, entertainment, education, and transportation. Notable Al-powered applications we 
use almost daily include advanced web search tools (e.g., Google Search) and 
recommendation systems (used by YouTube, Amazon, and Netflix). However, operational 
capabilities (e.g., IT expertise requirements) and accessibility (e.g., high costs) remain 
significant barriers to societal understanding of Al as well as its functions in everyday life. 


The expansion and development of Natural Language Processing (NLP) models and Large 
Language Models (LLMs) have showcased human-like features in reasoning, cognition, 
attention, and creativity, helping humans overcome operational barriers (Lappin, 2023; Vuong 
et al., 2023). Tasks that once required the operation of IT experts can now be completed by 
ordinary people through simple daily language commands. Additionally, Al is becoming more 
powerful and significantly cheaper over time (measured in months), making tasks previously 
unachievable due to high computational costs now widespread (Suleyman, 2023). In other 
words, Al is and will continue to bring an enormous amount of power to human civilization, to 
the extent that Sundar Pichai, CEO of Google, believes its significance surpasses even fire and 
electricity (Clifford, 2018). 


Along with the immense potential of Al come new security vulnerabilities and more complex 
information security risks. As society is still transitioning to adapt to technological changes, 
the Al revolution continues, requiring us to rethink the trajectory of societal transformation 
because it could exacerbate the information security risks presented above. Specifically, how 
does society need to evolve to keep pace with the breakthrough changes brought about by 
the current wave of Al technology? How can we manage and leverage its power while ensuring 
information security as our living space and time in the virtual world continue to expand? 


To contribute to the answers to these questions, the next section of this article will discuss 
the issues and risks affecting information security in the Al era, as well as the role, 
advantages, and opportunities of applying Al for the purpose of ensuring information security. 


Following that, the way humans interact with Al, and the impact of personal Al use rights on 
information security in cyberspace will be examined, laying the foundation for discussions on 
the roles of governments, businesses, and citizens in ensuring information security. Some 
implications for improving information security are eventually provided, with an emerging 
country (i.e., Vietnam) being an exemplary context. 


2. The Era of Artificial Intelligence and Its Impact on Cybersecurity 
2.1. The Impact of Al on Attack and Defense Activities 


Artificial Intelligence (Al) technology has demonstrated its superior potential in automating 
tasks, making predictions, and enhancing efficiency. As a result, Al has revolutionized the field 
of information security. Information security involves the management, monitoring, and 
protection activities carried out to minimize information risks. For the protection and defense 
of personal information, computer systems, and critical infrastructure, the main focus is to 
achieve the CIA triad while ensuring the efficient operation of the protected systems. The CIA 
triad includes (Maalem Lahcen et al., 2020): 


e Confidentiality (C): Protecting data and systems from risks arising from data theft 
activities targeting databases, backups, application servers, and management 
systems. 

e Integrity (I): Protecting data and systems from risks affecting the integrity of 
information and management systems, including hijacking control, altering financial 
data, stealing money, diverting stored information, and harming the organization’s 
brand. 

e Availability (A): Protecting data and systems from Denial of Service (DDoS) attacks, 
targeted Denial of Service attacks, and physical destruction risks. 


The advent of Al has simultaneously increased the cyber attack capabilities of hackers and 
the defensive and security capabilities of network administrators significantly. Thanks to the 
ability to automate repetitive tasks and avoid human cognitive blind spots, machine learning 
algorithms can analyze vast amounts of information to identify security vulnerabilities that 
were previously undetectable (Rao, 2021). From a defensive perspective, the task of 
reviewing and searching for security vulnerabilities previously took a lot of time and effort due 
to the large number of recorded security flaws. Finding unpatched vulnerabilities often relied 
heavily on the experience of white-hat hackers, security technicians, and vulnerability 
scanning tools. This led to systems not being thoroughly reviewed and patched, making them 
quickly discovered and exploited by hackers. Al-based tools can now be used to automate the 
process of identifying these vulnerabilities in software systems, networks, and other digital 
assets before hackers find and exploit them. 


Additionally, Al-powered tools make attacks increasingly diverse and_ sophisticated. 
Cybercriminals use a variety of Al-based tactics to infiltrate personal information systems and 
company networks, such as: 


e Developing advanced malware and ransomware. 

e Conducting stealth attacks. 

e Using Al to Suess complex passwords and break CAPTCHA. 

e Creating deepfake content and impersonating individuals on social media platforms. 
e Utilizing Al frameworks to attack vulnerable systems. 

e Leveraging Machine Learning (ML) to enhance penetration testing. 


Al-based tools can also be used to launch targeted hybrid attacks specifically designed for 
individuals or organizations (Handa et al., 2019). These enable cybercriminals to infiltrate and 
hide within a company’s network for extended periods to carry out stealth attacks. During this 
time, they can establish secret access points to an organization’s critical infrastructure. While 
preparing to launch a broader attack, these criminals could intercept communications, steal 
data, spread harmful software, create accounts with high-level access to infiltrate other 
systems, or deploy ransomware. 


Similarly, phishing attacks have become more sophisticated with Al’s help. Now, it is easy to 
receive a fake email, a phone call, or even a video call, impersonating banks, government 
agencies, or even relatives. Al-generated deepfake information can perfectly mimic the 
security protocols of regulatory bodies or replicate the voice and behavior of impersonated 
individuals. 


Conversely, Al’s ability to learn and predict current and future situations makes it a potent tool 
for updating, developing, and adapting to changes in cybercriminals’ attack methods. For 
example, Al’s capability to analyze and detect malware. Over the past few decades, malware 
has evolved rapidly, leading to advanced malicious software capable of altering its 
structure/code with each infection (Such as polymorphic and metamorphic malware) (Sharma 
& Sahay, 2014). This allows them to breach traditional security barriers like firewalls and 
disable intrusion detection systems. To combat this, Al technologies are becoming 
increasingly popular because they not only help detect malware but also predict and update 
knowledge about new or unclear malware forms (Rieck et al., 2011). Besides analyzing and 
detecting malware, Al is also being developed to recognize and counter phishing attacks, 
spam, intrusions into traffic management systems, and attacks on electrical systems and 
industrial control systems (Handa et al., 2019; Martinez Torres et al., 2019). 


2.2. Some Limitations of Al 


Although Al is regarded as a leading solution for the increasing need for information security, 
it also has some limitations. Firstly, the cost required to develop a bespoke Al system for 
security needs must be mentioned. While not entirely accurate, we can refer to OpenAl’s 
ChatGPT-3 model as an example. Analysts and technologists estimate that training a language 


model like ChatGPT-3 could consume over 4 million USD (Vanian & Leswing, 2023). Moreover, 
to undertake this training process, a company must have access to the necessary experts, 
machinery, data, and databases. This is almost beyond the reach of most individuals and 
small and medium-sized enterprises. 


Of course, the cost of using Al models provided by technology companies will be much lower. 
For example, Microsoft offers the security system Copilot. This software is developed based 
on GPT-4, the largest current language model from OpenAl - in which Microsoft has invested 
billions of USD - and a specific security model that Microsoft has built by using the operational 
data it collects daily (Novet, 2023). Microsoft plans to charge a fee of 4 USD for each “security 
compute unit,” and users can buy only what they need for their security requirements (Novet, 
2024). However, this lower cost comes with another information security risk: the user’s 
security environment information will be collected by technology companies. Microsoft itself 
has admitted that: “The [Copilot] system will know about the customer’s security environment, 
but that data will not be used to train models” (Novet, 2024). While Microsoft commits not to 
use the collected data for “model training” purposes, they did not specify other purposes 
beyond “model training.” If users and businesses do not care about this because their 
operations are not affected, the information collected from millions of users and hundreds of 
thousands of companies will be valuable for espionage and manipulation activities on a 
national and regional scale. It is frightening to think that we pay to enhance security yet allow 
the security service provider to know all the vulnerabilities in our systems. 


Additionally, as Al is more widely applied to security work, more non-traditional security 
vulnerabilities will emerge. Al provides the ability to make automatic and continuous decisions 
over long periods, helping to detect malware or anomalies in the system. However, to do this, 
Al must be trained to differentiate signs of malware or abnormalities. Cybercriminals can 
exploit this training phase to adjust the output of the classification model, thereby 
manipulating the Al system to allow malware or malicious code into the system (Biggio, 
Fumera, et al., 2013; Handa et al., 2019). These types of attacks can be divided into two 
categories (Biggio, Corona, et al., 2013): 


e Poisoning attacks: The attacker affects the training data, changes the training process, 
and damages the classification performance of Al. 

e Evasion attacks: The attacker uses strategies to probe or perform offline analysis to 
find information that helps them manipulate the judgment of the classification system 
without having to impact the Al’s training process. 


While Al can provide powerful solutions for security purposes, it is not infallible. Al still needs 
to be controlled and governed by users, so security systems will always have potential 
vulnerabilities caused by human error. These human errors can be classified based on the 
consequences and intentions of the actor (Maalem Lahcen et al., 2020): 


e Unintentional human error: Errors arising from a lack of knowledge or operational 
skills. 


e Intentional human error: Errors caused by a user who is aware of the risky behavior 
but still acts on it or misuses the system. Such actions do not necessarily cause 
immediate loss to the organization but can still violate current laws or privacy rights. 

e Malicious human error: The worst type of error because it is committed with the specific 
intent to harm the system. 


Since the operators and controllers of data and systems are outside the Al system’s scope of 
control, security vulnerabilities can still arise from deliberate sabotage behaviors within the 
internal team (or the operators themselves) (Maalem Lahcen et al., 2020). Sometimes human 
decisions and behaviors are irrational and unpredictable, influenced by anger, frustration, and 
job dissatisfaction, leading them to carry out intentional sabotage (malicious error), unsafe 
interventions (intentional error), or commit “naive” errors due to carelessness (unintentional 
error), etc. (Stanton et al., 2005). According to the 2023 Insider Threat Report, 74% of the 
surveyed cybersecurity experts feel that data and system security is vulnerable to internal 
threats. Furthermore, 74% of respondents also mentioned that insider attacks have become 
more frequent in the past 12 months (Insiders, 2023). 


3. As Artificial Intelligence Becomes Stronger, the Human Factor Becomes More Important 


Over the past decade, Al has developed rapidly and achieved breakthroughs, surpassing 
human capabilities in various fields and tasks (Henshall, 2023), including some aspects of 
information security. Although Al’s computational abilities are increasing, the functions or 
products created by Al are still directed and decided by humans (through model training 
processes and direct commands to Al). In other words, the faster Al develops, the more it 
amplifies the capabilities and power of its users (or those it serves). This can lead to two 
issues. 


Firstly, the power Al brings provides users with more choices. Tasks that were previously 
unattainable due to knowledge, ability, strength, and time limitations can now be 
supplemented by Al, requiring only learning to control Al effectively. However, why is this a 
problem? The issue is that they might choose to use Al for malicious purposes, such as 
conducting scam attacks, ransom attacks, creating malware, etc. This contributes to creating 
more information security risks in the future when someone with no security expertise can 
quickly become a black-hat hacker if they know how to control Al for cyber-attack purposes. 
The consequences could be worse if such hackers suddenly emerge from within an 
organization or company. 


Moreover, the greater the power Al provides to users, the more significant their impact on 
everything around them. As previously discussed, despite Al’s extremely powerful security 
capabilities, risks from human-caused vulnerabilities will always exist. If humans err in 
operating Al, the consequences of that error could be much more severe. For instance, human 
errors, whether accidental or intentional, that make the training data for Al’s classification 
model inaccurate could exponentially increase the security risks due to Al’s principle of 
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continuous automatic operation over a long period, with human intervention being difficult 
(and costly if feasible). If Al continues to develop at a rate exceeding all predictions as it is 
now, its integration into every aspect of daily life for individuals, businesses, and nations, both 
in-depth and breadth, could soon become a reality (Henshall, 2023; Stacey & Milmo, 2023). 
Especially with the emergence of cyber-physical systems, like smart grids, autonomous 
vehicles, medical monitoring, industrial control systems, robotics, etc., the gap between the 
real and virtual worlds will continue to narrow. Then, impacts in the virtual world will have the 
potential to affect the real world directly. A single error in Al’s automatic operation process 
caused by humans (especially in security issues) could lead to severe, unforeseeable 
consequences. 


Both of the above issues stem from a change in the structure of power within society 
(Suleyman, 2023). Here, power can be understood as “the ability to create or prevent change” 
(Green, 1998). Therefore, to achieve information security in the Al era, we need a clearer 
understanding of the human and societal factors in the development and operation of Al, 
especially issues related to individual’s freedom, power, and responsibility, the role of 
regulatory organizations and the state, and the responsibility of technology companies. 


4. Social Structure Shift and the Concept of Freedom in the Al Era 


To better understand the role of human factors and social structure in information security in 
the Al era, it is necessary to consider from the most fundamental components of social 
structure: individual thoughts, decisions, and behaviors. As the social structure is shifting from 
a phase without Al to a phase where Al is integrated into all aspects of life, the Mindsponge 
theory is used to clarify the issue thanks to its dynamic explanation capability centered around 
interaction with information. 


The Mindsponge theory posits that each individual is a biological information storage and 
processing system (or an information collection-cum-processor) capable of making decisions 
and behaviors to interact with their environment (including natural, social, cultural, political, 
and technological environments) (Vuong, 2023). The operation of the information processing 
system includes the process of evaluating costs and benefits with the goal of optimizing 
perceived benefits and minimizing perceived costs (Vuong et al., 2022). These cost and 
benefit evaluations are influenced by the objectives and priorities of the system, as well as 
following the principle of energy conservation of organisms. The most basic purpose or priority 
of the system is to ensure the prolongation of the system’s existence in one way or another, 
including survival, growth, and reproduction (Vuong, 2023). Through the Mindsponge 
information processing lens, we can envision that each individual’s perception of power (the 
perception of the ability to create or prevent change/impact) is the product of information 
processing and interaction with their surrounding environment. Perceptions of power have 
limitations due to observations from objective reality and individual subjective evaluations 


related to knowledge, capability, strength, assets, social status, and time (Nguyen et al., 
2023). 


As Al begins to emerge and is applied in society, individuals will gradually observe the benefits 
that Al brings from an objective reality and choose to use them. Through the process of 
interaction and information exchange with Al, the initial perceptions (before knowing Al) 
gradually transform. These perceptions include those of the individual’s own limits in 
knowledge, skills, strength, and time. With Al, individuals now have the ability to do things they 
previously could not or did not think of due to objective limitations in knowledge, skills, 
strength, and time. For example, someone who never knew how to draw or about computer 
programming can now easily create artistic images or computer programming codes by 
leveraging Al. Moreover, Al Deepfake now gives them the power to quickly and easily create 
realistic fake content, such as fake images and videos of other people’s faces and voices. 


When the objective power (or the ability to create or prevent change) (Green, 1998) of 
individuals is rapidly increased with the help of Al, it means the set of possible actions for that 
individual is also increasing. In other words, the overall freedom of the individual increases 
(Pansardi, 2012). Without accurate management mechanisms, this can significantly increase 
information security risks (as explained in Section 3). 


In reality, an individual’s overall freedom in society is limited by social systems. Although they 
have the capacity to perform a set of actions, due to the prevention or influence of other 
individuals or groups in society (through laws, rules, culture, or ethics), they do not perform 
some of the actions they are capable of (Kramer, 2008; Pansardi, 2012). From the 
Mindsponge theoretical perspective, the individual has the objective capability to perform 
actions but does not do so due to their subjective cost evaluations (created by others through 
laws, rules, culture, or ethics) (Nguyen et al., 2023; Vuong, 2023). 


Currently, as the emergence of Al in life is still new and its future development remains 
uncertain, cultural norms and ethics around Al usage remain controversial and undefined. 
Meanwhile, the world’s first law on artificial intelligence management was only approved by 
the European Union on August 13, 2024 (Liaropoulos, 2020). Therefore, we need a deeper 
understanding of the shift in social structure due to the change in power and the level of 
freedom that Al brings on a large scale to be able to deploy appropriate mechanisms to control 
power and regulate freedom. 


Usually, these power control mechanisms are managed and deployed by the state. But why 
would individuals agree to lose some of their freedom, or in other words, allow the state to 
limit their own power? 


This can be explained through the Social Contract Theory (Hobbes, 1894; Locke, 1967; 
Rousseau, 2016). This theory suggests that individuals collectively form a body with authority 
(e.g., the state) and relinquish a portion (even all under certain severe conditions concerning 
the survival of the social collective) of their freedom to this entity to manage and fulfill their 
responsibilities as described in the law. In return, the authority must provide those individuals 
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within the collective with the benefits of political and social order, such as stability, personal 
safety, and property (Bierens et al., 2017; Boucher & Kelly, 2003; Liaropoulos, 2020). With 
the emergence of private companies in the 20th century, a third party was added to the social 
contract (Liaropoulos, 2020). They are seen as a legal entity in a country with the goal of 
maximizing profit, through which they create a development incentive for society (e.g., creating 
jobs, wealth, promoting innovation, etc.). However, private companies are not allowed to harm 
the social contract between citizens and the state; hence, the state has the right to apply 
specific laws and regulations to private companies while considering other factors, such as 
market competition between companies and the public. If a company becomes a monopoly 
or near-monopoly, government laws and regulations need to be strengthened by the state to 
control (Bierens et al., 2017; Liaropoulos, 2020). 


However, the information revolution, and most recently, the emergence of Al, has made the 
world hyper-connected and changed the power structure in society by enhancing the power of 
those who can access and utilize Al. This leads to the question of whether national 
governments are capable of maintaining political order and social stability. If so, to what extent 
and scope, since the virtual space is almost without borders? Conversely, when individuals 
have gained the unimaginable power of Al, meaning their overall freedom has increased 
widely, are they still willing to trade that freedom for social stability as before? If so, how much 
freedom are they willing to trade to optimize the benefits they perceive? What happens if 
community behavior rules shared on information platforms become conflicted with intrinsic 
social contracts, eroding ethical systems and becoming super rules capable of causing 
widespread super-cultural conflicts? 


Moreover, currently, governments do not have effective tools to limit the power of users 
multiplied by Al and other information technologies, as the main providers of these services 
are leading multinational technology corporations, such as Microsoft, Meta, Google, etc. More 
profoundly, these corporations hold most of the digital assets (data, software) and the 
infrastructure to operate digital technologies and Al (Nilekani, 2018). Most internet search 
data is stored by Google, while Meta (previously Facebook) dominates social networking with 
over 2 billion users. With the vast number of users and the huge amount of data obtained 
from them, although these conglomerates do not own much physical property, have no police, 
courts, or similar state institutions, they still have the ability to control information sources, 
influence opinions, and even manipulate the psychology and behavior of a large number of 
users (Shadmy, 2019). 


In an era of exploding information technology and Al, the change in the power structure of 
society's components is happening. The transformation, even an upgrade, in the social 
contract is necessary for society to adapt and even evolve, but it must also ensure political 
and social stability, within which information security is an essential part. Social contracts that 
only involve individual governments are unlikely to be sustainable. Therefore, the social 
contract needs coordination and connection among parties through cooperation between 
governments, supranational organizations, public-private partnerships, citizens, non- 
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governmental organizations, and private companies (especially technology conglomerates) 
(Liaropoulos, 2020). 


5. Awareness, Investment in Cybersecurity, and Some Recommendations 


Cybersecurity and information security play a crucial role in modern socio-economic activities 
and national protection (Nash-Hoff, 2012). In the context of globalization and economic 
integration, the relationship between the economy, especially e-commerce, and national 
security has become increasingly intertwined (Okhrimenko et al., 2023). As technology 
advances and the space and time people spend in the virtual world increase, with cyber- 
physical systems being deployed and operated more broadly in the global economy and social 
activities, protecting information becomes an essential need to ensure not only information 
security but also sustainable development and national security. 


The rapid development of Al has shown superior potential in the field of information security, 
but it also brings significant concerns, as hackers could also use Al for cyber-attacks or fraud. 
This invisibly creates a race between the defense and the attacking sides: whoever can 
develop better, faster, and more effectively utilized Al will have more advantages. Therefore, 
focusing resources on developing Al for use in cybersecurity needs to be a priority investment 
to ensure the countries’, businesses’, and individuals’ assets (information) are not lost or 
exploited illicitly for malicious purposes or espionage. However, investment efficiency issues 
also need to be carefully considered to avoid ineffective investment and waste (Vuong, 2018). 


Investing in new Al models will be very costly and beyond the affordability of most businesses, 
especially in emerging countries like Vietnam. Moreover, Al is a machine learning system, so 
it needs continuous training and updating with new features and algorithms to ensure the 
system can respond to increasingly sophisticated and customized attack methods of cyber 
criminals. Using Al models developed by large technology corporations, like Microsoft, will 
significantly reduce security-related costs. However, this approach will expose all security 
weaknesses to the Al service providers. If this happens on a large scale, it could lead to 
espionage and manipulation risks at the national level. Therefore, the government needs 
specific support policies and programs to collaborate with domestic cybersecurity businesses 
to develop their own Al security systems, alongside using external service providers for types 
of data and information systems that do not significantly affect national security. Faced with 
national security challenges, this collaboration fundamentally has to eliminate purely 
commercial conflicts of interest while still ensuring legitimate interests and intellectual 
property rights. 


Currently, information safety and security in Vietnam are witnessing § significant 
advancements. In 2023, Vietnam aims to become a “cybersecurity powerhouse” by 2025, 
focusing on the development and export of cybersecurity products and services. The country 
is also concentrating on building a high-quality workforce in this field (Anh, 2024). Vietnam 
has cybersecurity companies and organizations capable of providing professional security and 
information safety services, such as Viettel, Vietnam Cybersecurity Technology JSC, HPT 
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Information Technology Services JSC, CMC Technology Group JSC... Moreover, Vietnam is a 
participant in the World Online Authentication Alliance (FIDO), accessing advanced non- 
password authentication technologies and trends, and hosting the International Cybersecurity 
Day Vietnam 2023 Conference and Exhibition (Tap chi An toan thong tin, 2023). These are 
very useful prerequisites for Vietnam to deploy and develop a dedicated Al model for security. 


From a business perspective, awareness of security and information safety in enterprises is 
not yet profound. Most Vietnamese companies still use an “ad-hoc” IT team for both system 
development and security tasks instead of hiring professional entities. Efforts to prevent 
malicious information are weak and flawed. The maturity level of cybersecurity in businesses 
is not commensurate with the threat to information safety. The recent cyber attack on 
VNDirect, one of Vietnam’s leading securities companies, which resulted in their system being 
taken down, reveals a concerning truth: awareness about information security and safety 
among many businesses remains significantly limited. This situation has led to a scenario 
where the economic damage suffered by the company post-incident is vastly greater than 
what the cost would have been for investing in professional information security measures 
from the outset (vnexpress.net, 2024). A 2021 McKinsey cybersecurity maturity survey of over 
100 companies across various sectors showed a correlation between cybersecurity maturity 
levels and profit margins. This indicates that effective cybersecurity strategies can contribute 
to the overall financial health of a company (Eiden et al., 2021). Therefore, Vietnamese 
companies need to be more serious about investing in cybersecurity measures, especially in 
the Al era, where cybercriminals can quickly develop both in quantity and quality. 


As Al becomes stronger and more versatile, the human factor becomes extremely important 
because it will help determine the effectiveness of Al applications and resilience against 
information security risks. Therefore, in addition to investing in developing Al models for 
security purposes, activities to raise awareness about the importance of information and the 
risks of information exploitation, as well as training and educating the public, businesses, and 
government agencies on how to protect information and information systems also need to be 
emphasized. In this way, individuals, businesses, and government agencies participating in 
cyberspace activities will have the awareness and ability to protect themselves against 
security risks, thereby contributing to the sustainability of the national information space. 
Indeed, information security issues are increasingly prevalent in Vietnam. Examples include 
recent scams on applications like Zalo and Telegram, or the emergence of deepfake 
technology in fraud cases (Son, 2023). 


No matter how perfect an Al-integrated security system is, it will always have the potential to 
overlook vulnerabilities caused by human error. One notable issue is the lack of full 
compliance with information safety regulations by some government agencies. This is evident 
when simply searching for keywords like “gambling” or “football” on state agency domains, 
which can reveal hacker intrusions and the appearance of unwanted content. These security 
incidents not only lead to the dissemination of inappropriate information but also pose a 
significant risk if hackers exploit them to disseminate false information or engage in 
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fraudulent activities, causing serious consequences. This issue requires timely remedial 
measures to enhance the safety and security of government agencies’ information systems. 


Vietnam also needs to recognize the importance of developing human resources in the field 
of information technology and cybersecurity (Vuong et al., 2019). There are already some 
universities actively incorporating Information Security subjects into their curricula. However, 
both the quantity and quality of these courses have not yet truly met the demand and are still 
at a preliminary stage. To keep pace with the rapid development of technology, the content of 
these courses, along with the faculty, needs to be continuously updated to meet new 
technological advancements and adapt to current trends. This not only provides necessary 
knowledge and skills to students but also contributes to enhancing the overall capacity of the 
information technology and cybersecurity sectors in Vietnam. Additionally, the government 
and universities should guide and promote social science, psychology, and behavioral 
research related to cybersecurity issues, as humans remain the most crucial and also the 
most vulnerable link in achieving comprehensive information security goals. Currently, the 
number of studies on this issue remains limited (Maalem Lahcen et al., 2020; Payne & 
Hadzhidimova, 2018). 


In summary, strengthening compliance with information safety regulations, countering new 
forms of scams, and improving awareness of information security within the business 
community are areas that need attention. At the same time, developing high-quality human 
resources in this field, especially through updated and specialized university teaching 
programs, will be key for countries, especially emerging ones like Vietnam, to strengthen their 
socio-economic security and continue to advance in the Al era. 
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